CWE • Variant • Incomplete • 20 recent CVEs
CWE-35: Path Traversal: '.../...//'
Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Common consequences
- Confidentiality, Integrity → Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism: Not properly neutralizing '.../...//' (doubled triple dot slash) allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Potential mitigations
- Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
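An added example, not part of the CWE entry: a single-pass filter that deletes '../' turns '.../...//' into '../', while canonicalizing and then checking containment rejects the result. The base directory, sample input and function names are constructed for illustration, and POSIX path semantics are assumed.

```python
import os

BASE = "/srv/app/uploads"        # constructed base directory (assumption)
SAMPLE = ".../...//secret.txt"   # constructed input using the CWE-35 sequence


def naive_strip(user_path):
    # Flawed neutralization: one pass that deletes every "../".
    # In ".../...//" the leftover characters close up into a new "../".
    return user_path.replace("../", "")


def flawed_resolve(base_dir, user_path):
    # Filters, joins, and never re-checks where the final path points.
    return os.path.normpath(os.path.join(base_dir, naive_strip(user_path)))


def resolve_within(base_dir, user_path):
    # Canonicalize first, then validate the canonical form against the base.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path resolves outside %s: %r" % (base, user_path))
    return candidate


def is_rejected(base_dir, user_path):
    # True when the canonical path falls outside base_dir.
    try:
        resolve_within(base_dir, user_path)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("after naive filter :", naive_strip(SAMPLE))
    print("flawed result      :", flawed_resolve(BASE, SAMPLE))
    print("filtered, rejected :", is_rejected(BASE, naive_strip(SAMPLE)))
    print("raw input rejected :", is_rejected(BASE, SAMPLE))
```

On POSIX the unfiltered input is accepted because '...' is an ordinary directory name that stays under the base; the escape only appears once the lossy filter has rewritten the string, which is why the containment check has to run on the final canonical path.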
Recent CVEs classified under this CWE
- CVE-2026-40128, 9.0, 2026-06-09
- CVE-2026-24315, 4.2, 2026-06-09
- CVE-2026-45661, 9.9, 2026-05-29
- CVE-2026-44933, 7.8, 2026-05-20
- CVE-2026-45495, 8.8, 2026-05-18
- CVE-2026-7302, 9.1, 2026-05-18
- CVE-2026-42930, 8.7, 2026-05-13
- CVE-2026-24464, 6.8, 2026-05-13
- CVE-2026-25705, 8.4, 2026-05-13
- CVE-2026-0804, 6.7, 2026-05-12
- CVE-2026-42274, 2026-05-08
- CVE-2026-20034, 8.8, 2026-05-06
- CVE-2026-0205, 6.8, 2026-04-29
- CVE-2026-6074, 9.8, 2026-04-23
- CVE-2026-25397, 7.5, 2026-03-25
- CVE-2025-67914, 7.7, 2026-01-08
- CVE-2025-46256, 6.4, 2026-01-07
- CVE-2025-28973, 6.5, 2025-12-31
- CVE-2025-48090, 8.1, 2025-11-06
- CVE-2025-39467, 8.1, 2025-11-06